May 29, 2024

Vermont Passes Data Privacy Law: Vermont Data Privacy Act

Learn about the Vermont Data Privacy Act (VDPA) and its implications for businesses operating in Vermont. Discover key provisions, compliance requirements, consumer rights, and enforcement measures to prepare for the July 1, 2025, implementation.

The Vermont legislature passed the Vermont Data Privacy Act (VDPA), the state's landmark data privacy bill. Among other duties, it imposes significant data minimization requirements on the amount of personal data companies can collect and use. It also grants consumers privacy rights and threatens controllers who do not comply with penalties.

To understand it better and to prepare for compliance in 2025, read this article and start planning the adjustments your business will need.

Confused by the patchwork of US State Data Privacy Laws? Our free checklist simplifies US Consumer Data Privacy Compliance for your business.

Get Your US Privacy Do's and Don'ts Checklist

What is the Vermont Data Privacy Act?

The Vermont Data Privacy Act is Vermont's comprehensive privacy legislation, set to take effect on July 1, 2025. This act aims to enhance data protection and privacy rights for Vermont residents. Notably, it grants individuals a private right of action starting from January 1, 2027, allowing them to seek legal recourse for violations of their data privacy rights.

Does the VDPA apply to my business?

The Vermont Data Privacy Act (VDPA) applies to persons conducting business in Vermont or producing products or services targeted to Vermont residents who, during the preceding calendar year:

  • Controlled or processed the personal data of at least 25,000 consumers, excluding data processed solely for payment transactions.
  • Controlled or processed the personal data of at least 12,500 consumers and derived more than 25% of their gross revenue from the sale of personal data.

The health data provisions apply to all persons conducting business in Vermont or producing products or services targeted to Vermont residents, regardless of the number of consumers' data controlled or processed.

What is personal data under the Vermont comprehensive data privacy legislation?

Personal data is any information that could identify an individual, directly or indirectly.

The VDPA goes further and defines what sensitive data is. The definition is necessary because the law subjects sensitive data to a special regime.

According to the VDPA, "sensitive data" includes personal data that:

  • Reveals a consumer’s government-issued identifier, such as a Social Security number, passport number, state identification card, or driver’s license number, that is not required by law to be publicly displayed.
  • Reveals a consumer’s racial or ethnic origin, national origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.
  • Reveals a consumer’s sexual orientation, sex life, sexuality, or status as transgender or nonbinary.
  • Reveals a consumer’s status as a victim of a crime.
  • Is financial information, including a consumer’s tax return and account number, financial account log-in, financial account, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
  • Is consumer health data.
  • Is personal data collected and analyzed concerning consumer health data or personal data that describes or reveals a past, present, or future mental or physical health condition, treatment, disability, or diagnosis, including pregnancy, to the extent the personal data is not used by the controller to identify a specific consumer’s physical or mental health condition or diagnosis.
  • Is biometric or genetic data.
  • Is personal data collected from a known minor.
  • Is precise geolocation data.


Do we need a privacy policy?

A controller must provide a privacy policy that is reasonably accessible, clear, and meaningful, containing the following information:

  • The categories of personal data processed
  • The purposes of processing
  • Consumer rights and how to exercise them
  • All categories of personal data, including sensitive data, that the controller shares with third parties
  • All categories of third parties with which the controller shares personal data, at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data
  • Contact information
  • Controller identification
  • A clear and conspicuous description of any processing of personal data for targeted advertising, sale of personal data to third parties, or profiling the consumer in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, and a procedure by which the consumer may opt out of this type of processing

What are the VDPA consumer rights?

Consumers in Vermont have the right to:

  • Know about the processing
  • Access their information
  • Delete their data
  • Correct their data
  • Opt out of the sale of personal data and targeted advertising

Consumers can submit consumer requests, and you will be obliged to respond within 45 days.

What are the VDPA opt-out requirements?

The Vermont Data Privacy Act requires businesses to provide clear opt-out mechanisms for consumers. Specifically, businesses must offer a conspicuous link on their website that allows consumers to opt out of the sale of their personal data. This link should be easily accessible and prominently displayed, ensuring that consumers can exercise their opt-out rights without difficulty.

In addition to the direct opt-out link, businesses are also required to recognize universal opt-out mechanisms. This means that businesses must honor signals sent by consumers through browser settings or other automated tools indicating their preference to opt out of data sales.
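As an added illustration (not code from the article or from any compliance product), here is how a server-side handler could combine the two opt-out channels described above: the on-site opt-out link and a universal browser signal. It assumes the universal signal is the Global Privacy Control header `Sec-GPC: 1`; the article does not name a specific signal, so that choice is an assumption, and the purpose names and sample headers are constructed.

```python
from dataclasses import dataclass

# Constructed sample headers, as a request handler would see them (not from the article).
SAMPLE_HEADERS_WITH_SIGNAL = {"User-Agent": "ExampleBrowser/1.0", "Sec-GPC": "1"}
SAMPLE_HEADERS_NO_SIGNAL = {"User-Agent": "ExampleBrowser/1.0"}

# Processing purposes the article says consumers may opt out of (names are constructed).
OPT_OUT_PURPOSES = {"sale_of_personal_data", "targeted_advertising"}


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool
    source: str  # "link", "universal_signal", or "none"


def gpc_signal_present(headers: dict) -> bool:
    """True when the browser sent Sec-GPC: 1 (assumed signal). Header names are case-insensitive."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    return lowered.get("sec-gpc") == "1"


def resolve_opt_out(headers: dict, link_opt_out_on_file: bool) -> OptOutDecision:
    """Combine the opt-out link and the universal signal.

    A preference recorded through the site's opt-out link is sticky: it must survive
    later requests from a browser that sends no signal. The universal signal opts the
    consumer out for this request even when nothing is on file.
    """
    if link_opt_out_on_file:
        return OptOutDecision(True, "link")
    if gpc_signal_present(headers):
        return OptOutDecision(True, "universal_signal")
    return OptOutDecision(False, "none")


def permitted_purposes(requested: set, decision: OptOutDecision) -> set:
    """Remove the opt-out-able purposes from a processing plan when the consumer opted out."""
    if decision.opted_out:
        return requested - OPT_OUT_PURPOSES
    return set(requested)


if __name__ == "__main__":
    plan = {"order_fulfilment", "targeted_advertising", "sale_of_personal_data"}
    decision = resolve_opt_out(SAMPLE_HEADERS_WITH_SIGNAL, link_opt_out_on_file=False)
    print(decision, permitted_purposes(plan, decision))  # only order_fulfilment survives
```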

What are the duties of controllers and processors?

Controllers, i.e., the companies that decide how and why data is processed, have the following general duties:

  • Limit the processing to the purpose for which the data was collected
  • Process only the minimum amount of data needed for those purposes
  • Not sell sensitive data
  • Not discriminate
  • Implement technical and organizational measures for data security
  • Honor consumer requests
  • Have written contracts with data processors
  • Conduct data protection assessments where required

Processors, the companies you hire to process data on your behalf, have the following duties:

  • Follow the controller's instructions about the processing
  • Enable the controller to respond to consumer requests
  • Ensure data security
  • Help the controller conduct data protection assessments

Do we need to conduct a privacy impact assessment?

Controllers are required to conduct and document a data protection assessment for processing activities that present a heightened risk of harm to a consumer. This general requirement ensures that controllers thoroughly evaluate and mitigate potential risks associated with their data processing activities.

Specific situations requiring a data protection assessment include processing personal data for targeted advertising, selling personal data, and profiling that poses a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical, or reputational injury, or significant intrusion into consumers' private affairs. Additionally, processing sensitive data necessitates an assessment to ensure appropriate safeguards are in place.

Controllers must retain data protection assessments for at least five years. The Attorney General can request disclosure of these assessments during investigations, but such disclosures do not waive attorney-client privilege or work product protection and remain confidential under the Public Records Act.


Penalties and enforcement of the Vermont data privacy bill

The Attorney General enforces the Vermont privacy law. Fines are up to $10,000 per violation, which is higher than the usual $7,500 in other states.

However, no fine is imposed if the violation is remedied within the 60-day cure period.

The VDPA also provides for a private right of action in specific circumstances. Notably, this right is available to consumers harmed by violations committed by data brokers or large data holders, as outlined in the bill.